lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJuCfpECC9w6RdfbH34Y906uV=egUDct=6H54Xn79okKK80cjw@mail.gmail.com>
Date: Thu, 7 Aug 2025 19:48:40 +0000
From: Suren Baghdasaryan <surenb@...gle.com>
To: David Hildenbrand <david@...hat.com>
Cc: akpm@...ux-foundation.org, peterx@...hat.com, aarcange@...hat.com, 
	lokeshgidra@...gle.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org, 
	syzbot+b446dbe27035ef6bd6c2@...kaller.appspotmail.com, stable@...r.kernel.org
Subject: Re: [PATCH v4 1/1] userfaultfd: fix a crash in UFFDIO_MOVE when PMD
 is a migration entry

On Thu, Aug 7, 2025 at 7:42 PM David Hildenbrand <david@...hat.com> wrote:
>
> On 07.08.25 17:27, Suren Baghdasaryan wrote:
> > On Thu, Aug 7, 2025 at 3:31 AM David Hildenbrand <david@...hat.com> wrote:
> >>
> >> On 07.08.25 00:00, Suren Baghdasaryan wrote:
> >>> When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with
> >>> obtaining a folio and accessing it even though the entry is swp_entry_t.
> >>> Add the missing check and let split_huge_pmd() handle migration entries.
> >>>
> >>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> >>> Reported-by: syzbot+b446dbe27035ef6bd6c2@...kaller.appspotmail.com
> >>> Closes: https://lore.kernel.org/all/68794b5c.a70a0220.693ce.0050.GAE@google.com/
> >>> Signed-off-by: Suren Baghdasaryan <surenb@...gle.com>
> >>> Reviewed-by: Peter Xu <peterx@...hat.com>
> >>> Cc: stable@...r.kernel.org
> >>> ---
> >>> Changes since v3 [1]
> >>> - Updated the title and changelog, per Peter Xu
> >>> - Added Reviewed-by: per Peter Xu
> >>>
> >>> [1] https://lore.kernel.org/all/20250806154015.769024-1-surenb@google.com/
> >>>
> >>>    mm/userfaultfd.c | 17 ++++++++++-------
> >>>    1 file changed, 10 insertions(+), 7 deletions(-)
> >>>
> >>> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> >>> index 5431c9dd7fd7..116481606be8 100644
> >>> --- a/mm/userfaultfd.c
> >>> +++ b/mm/userfaultfd.c
> >>> @@ -1826,13 +1826,16 @@ ssize_t move_pages(struct userfaultfd_ctx *ctx, unsigned long dst_start,
> >>>                        /* Check if we can move the pmd without splitting it. */
> >>>                        if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) ||
> >>>                            !pmd_none(dst_pmdval)) {
> >>> -                             struct folio *folio = pmd_folio(*src_pmd);
> >>> -
> >>> -                             if (!folio || (!is_huge_zero_folio(folio) &&
> >>> -                                            !PageAnonExclusive(&folio->page))) {
> >>> -                                     spin_unlock(ptl);
> >>> -                                     err = -EBUSY;
> >>> -                                     break;
> >>> +                             /* Can be a migration entry */
> >>> +                             if (pmd_present(*src_pmd)) {
> >>> +                                     struct folio *folio = pmd_folio(*src_pmd);
> >>> +
> >>> +                                     if (!folio
> >>
> >>
> >> How could you get !folio here? That only makes sense when calling
> >> vm_normal_folio_pmd(), no?
> >
> > Yes, I think you are right, this check is not needed. I can fold it
> > into this fix or post a separate cleanup patch. I'm guessing a
> > separate patch would be better?
>
> I think you can just post a fixup inline here and ask Andrew to squash
> it. He will shout if he wants a completely new version :)

I wouldn't do that to him! :)
Let me quickly send an updated version instead.

>
> --
> Cheers,
>
> David / dhildenb
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ